EMV: Your Best Defense Against Counterfeit Card Fraud
© 2013 Paragon Application Systems, Inc. All rights reserved. 326 Raleigh Street Holly Springs NC 27540 (919) 567-9890
www.paragonedge.com
Counterfeit card fraud occurs when criminals create counterfeit cards from stolen card data and use those cards for illegitimate transactions. Most often the card data has been stolen (or skimmed) from the card’s magnetic stripe during legitimate card use. While the first defense against counterfeit card fraud may be to prevent skimming and to determine how to recognize transactions perpetrated with skimmed data, the best defense against counterfeit card fraud is migration to EMV¹. This paper explains how chip cards that employ the EMV standard provide your best defense against counterfeit card fraud, and offers suggestions for further measures your organization can take as an EMV Acquirer or EMV Issuer to prevent counterfeit card fraud.
1 EMV™ is a trademark owned by EMVCo LLC. For further information on the EMV standard, visit http://www.emvco.com
Obtaining Data for Counterfeit Cards: Skimming

Put simply, skimming is capturing card data from the magnetic stripe without the customer’s knowledge.

How is data from a magnetic stripe card skimmed?

There are many ways magnetic stripe data can be skimmed during card use; for example, thieves can:
• Insert a device into or in front of an ATM’s card reader and record data from the magnetic stripe as the card is swiped or inserted
• Record the raw data (magnetic waveform) as audio using an MP3 player or other digital audio recorder, then convert the audio to binary data
• Use a hacked Bluetooth headset or mobile phone to collect waveform data as audio from a safe distance, then use signal processing software to convert spikes in waveforms into zeroes and ones
• Use a hand-held skimming device to read data from the card when it has been presented for a purchase (for example, to a server in a restaurant or to a salesclerk in a store)

Skimming has been used for decades, first in major metropolitan areas, then spreading to smaller suburban settings where consumers are less likely to know what to look for at or on the terminal. Unfortunately, the availability of inexpensive, easy-to-use skimming tools and a fairly simple process means skimming is increasing, especially in non-EMV markets. More sophisticated skimming methods (cellphones and wireless technology) have allowed skimming to be perpetrated at gas pumps, grocery store self-checkouts, restaurants, etc.

How do thieves obtain the PIN for use with skimmed card data?

While some card fraud can be conducted using only the skimmed data from the magnetic stripe, obtaining the PIN facilitates much more costly fraud.
There are many methods for capturing PINs while skimming card data, such as:
• Using a concealed digital video camera to record keyed entries at the ATM
• Capturing the PIN directly using a keypad that overlays the ATM keypad. Keystrokes are stored in flash memory for later retrieval.
• Gathering data wirelessly via a wireless webcam or other small remote camera
• Using a cell phone as a remote-activated video camera that transmits clips back to another phone

How do thieves use the skimmed data?

• Create counterfeit cards. The data is recorded on a blank magnetic stripe and the counterfeit card is used at an ATM or a POS device.
• Conduct card-not-present (CNP) fraud; for example, using the skimmed data for online purchases. No physical card is required.
• Sell the skimmed data in bulk through online exchanges

What security methods are used to protect magnetic stripe cards from skimming?

Both physical (hardware) and software methodologies are used to combat skimming of card data from magnetic stripe cards at the ATM. Combatting fraud at the point of sale is more difficult, and relies more on consumer education (for example, teaching consumers to avoid carrying or writing down their PIN, to keep their cards in view during purchases, etc.).

The physical methods used to protect magnetic stripe cards from skimming include:
• Installing a shield around the PIN pad and the card reader slot
• Using devices that interfere with the recording and transmitting of card data by external readers (jamming their electronic signals)
• Installing sensors that can detect:
  • Alterations to the ATM face
  • Devices attached to card readers
  • Objects placed in front of card reader slots
  • Radio waves emitted in close proximity to the terminal
Unfortunately, most software methods used for ATM and POS fraud detection focus on identifying fraud after it has occurred, not on preventing card data from being skimmed. Anti-skimming fraud software measures include software that:
• Monitors transaction patterns, watching for activity that falls outside of a normal pattern
• Uses a neural network, rules, or analytics to detect potentially fraudulent transaction activity
• Consults geographical databases of known skimming attacks

Comparing EMV Transaction Data and Magnetic Stripe Transaction Data

How does the chip provide better security than the magnetic stripe against counterfeit card fraud?

• The chip can’t be easily (or completely) cloned.
• The chip provides inherent hardware and software protection against tampering.
• Even if a thief can read partial data from the chip, the keys required to generate and verify cryptograms are inaccessible.
• A cryptogram is generated for every EMV transaction request. Verifying the cryptogram in the request proves the card used to initiate the transaction is genuine. This provides a higher degree of confidence in the legitimacy of a transaction initiated by an EMV chip card than a transaction initiated by a magnetic stripe card.
What Information in an Online EMV Transaction Request is Valuable in Fraud Determination?

Some of these transaction request fields are present today in magnetic stripe transaction requests, but have different values when used in online EMV transactions. Some fields, such as DE55, are new and are only present with EMV. The examples here illustrate a few of the many possible variations in request data, including data from suspect transactions.

NOTE: The statements about potential liability are based on our understanding, but have not been confirmed by the payment networks.

Online EMV Transaction Request Data (New/Rev for EMV?)

Track 2 (Revised)

Field Separator
• = : Magnetic stripe was read. Example: 1234560000000001=1111120000001001001
• D : Data is from the ICC Application in the chip. Example: 1234560000000001D1111220000001001001

Service Code, Position 1 (Revised)
• 1 or 5: Card created as magnetic stripe card
• 2 or 6: Card supports contact EMV
• 7: Often indicates contactless EMV

DE22 (Point of Service Data Code)

Position 1 (Card Data Input Capability): Identifies the primary means of getting the data on the card into the terminal, i.e. what the terminal supports
• 2: Magnetic stripe
• 5: ICC

Position 7 (Card Data Input Mode): Identifies the method that was actually used to input data from the card into the terminal, i.e. how the data was actually obtained
• 2: Magnetic stripe
• 5: ICC

DE55 (ICC Data) (New)

Presence of DE55, specifically the application cryptogram, indicates the chip was read successfully.
Request Data in Good Online Transactions

| | Magnetic stripe card at non-EMV terminal | Magnetic stripe card at EMV-enabled terminal | Chip card at non-EMV terminal | Chip card at EMV-enabled terminal; chip read successfully |
|---|---|---|---|---|
| Track 2 Data Source | Magnetic stripe | Magnetic stripe | Magnetic stripe | Chip |
| Field Separator | = | = | = | D |
| Value of Service Code, Position 1 | 1 or 5 | 1 or 5 | 2 or 6 | 2 or 6 |
| Terminal Capability as per DE22 | Terminal is not EMV-enabled | Terminal is EMV-enabled | Terminal is not EMV-enabled | Terminal is EMV-enabled |
| Data Input Method as per DE22 | Magnetic stripe was read | Magnetic stripe was read | Magnetic stripe was read | Chip was read successfully |
| Presence or Absence of ICC Data (DE55) | Absent | Absent | Absent | Present, including cryptogram |
Request Data in Suspect or Fraudulent Online Transactions

| | Valid chip card at EMV-enabled Terminal; chip not read (Technical Fallback) | Cloned chip card at non-EMV Terminal; chip not read | Cloned chip card at EMV-enabled Terminal; chip not read | Cloned chip card at EMV-enabled Terminal; chip read | Cloned chip card presented at EMV-enabled Terminal as a magnetic stripe card; no attempt to read chip |
|---|---|---|---|---|---|
| Track 2 Data Source | Magnetic stripe | Magnetic stripe | Magnetic stripe | Chip | Magnetic stripe |
| Field Separator | = | = | = | D | = |
| Value of Service Code, Position 1 | 2 or 6 | 2 or 6 | 2 or 6 | 2 or 6 | Changed by thief from “2” to “1” |
| Terminal Capability as per DE22 | Terminal is EMV-enabled | Terminal is not EMV-enabled | Terminal is EMV-enabled | Terminal is EMV-enabled | Terminal is EMV-enabled |
| Data Input Method as per DE22 | Magnetic stripe read or technical fallback (chip was not read successfully) | Magnetic stripe read successfully | Chip was not read successfully | Chip was read successfully | Magnetic stripe read |
| Presence or Absence of ICC Data (DE55) | Absent | Absent | Absent | Present, but cryptogram is generated by incorrect key | Absent |

More Information

• Valid chip card at EMV-enabled Terminal; chip not read (Technical Fallback): Typically, Acquirers should not decline the transaction, but should send the transaction request to the Issuer as usual. (However, verify the regional and network regulations in effect.) The transaction could be a legitimate cardholder with a valid card that has a damaged chip, or it could be indicative of counterfeit fraud.
• Cloned chip card at non-EMV Terminal; chip not read: Thief skimmed the magnetic stripe data from a chip card. The cloned card has magnetic stripe data from the chip card, but there is no chip. To the Issuer, the transaction would seem to indicate a valid chip card was used at a non-EMV Terminal. If the issuer approves the transaction, the acquirer (as the non-EMV-compliant party) may be liable for the fraud.
• Cloned chip card at EMV-enabled Terminal; chip not read: Thief skimmed the magnetic stripe data from a chip card. The cloned card has magnetic stripe data from the chip card, but there is no chip. To the Issuer, the transaction would appear to be a fallback transaction. Because the transaction occurred at an EMV-enabled Terminal, the acquirer will most likely not be liable for the fraud.
• Cloned chip card at EMV-enabled Terminal; chip read: The transaction data contains a cryptogram that was generated by a key other than the key associated with the real card. Thief skimmed the magnetic stripe data from a chip card, and placed it on a chip card containing invalid keys. If the Issuer can’t verify the cryptogram, they should decline the transaction. Multiple declines for the same card for the same reason should raise a red flag.
• Cloned chip card presented at EMV-enabled Terminal as a magnetic stripe card; no attempt to read chip: Thief skimmed magnetic stripe data from a chip card, altered the first byte of the service code from 2 to 1, then recorded the data on the magnetic stripe of a blank card. The cloned card appears to be a legitimate magnetic stripe card, and the terminal will not try to read a chip. The Authorization System will not be able to verify the card security code. The Authorization System must be able to identify chip cards (e.g. by BIN) to avoid this type of fraud.
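The field combinations in the two tables above can be checked mechanically in an authorization or fraud-detection system. The following Python is an added example, not code from Paragon or the original paper; it assumes a 12-character DE22 in which only positions 1 and 7 are inspected, and the `AuthRequest` fields, the `issued_as_chip` flag and the label strings are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthRequest:
    track2: str                   # Track 2 as received ("=" or "D" separator)
    de22: str                     # Point of Service Data Code, assumed 12 characters
    de55_present: bool            # ICC data, including the application cryptogram
    cryptogram_ok: Optional[bool] = None  # issuer's verification result for DE55
    issued_as_chip: bool = False  # hypothetical issuer "magnetic stripe vs. chip" flag

def parse_track2(track2: str):
    """Return (PAN, separator, service code); expiry is the 4 digits after the separator."""
    for sep in ("=", "D"):
        if sep in track2:
            pan, rest = track2.split(sep, 1)
            return pan, sep, rest[4:7]
    raise ValueError("no Track 2 field separator")

def classify(req: AuthRequest) -> str:
    _, sep, service_code = parse_track2(req.track2)
    card_is_chip = service_code[:1] in ("2", "6", "7")  # 7 often means contactless EMV
    terminal_emv = req.de22[0] == "5"   # position 1: terminal can read ICC
    chip_read = req.de22[6] == "5"      # position 7: data actually came from ICC
    # Stripe claims "magnetic stripe card" but the issuer issued this PAN as chip.
    if req.issued_as_chip and not card_is_chip:
        return "service-code-altered"
    # Separator, input mode, DE55 and terminal capability must agree.
    if (chip_read != (sep == "D") or chip_read != req.de55_present
            or (chip_read and not terminal_emv)):
        return "inconsistent-fields"
    if chip_read:
        return "chip-genuine" if req.cryptogram_ok is True else "cryptogram-not-verified"
    if card_is_chip and terminal_emv:
        return "fallback-chip-not-read"         # damaged chip or cloned stripe
    if card_is_chip:
        return "chip-card-at-non-emv-terminal"  # a cloned stripe looks identical
    return "magnetic-stripe"

# Constructed requests. Track 2 reuses the paper's sample PAN; DE22 filler digits are "0".
STRIPE = "1234560000000001=1111120000001001001"
CHIP_STRIPE = "1234560000000001=1111220000001001001"
CHIP = "1234560000000001D1111220000001001001"
SAMPLES = {
    "stripe card, non-EMV terminal": AuthRequest(STRIPE, "200000200000", False),
    "chip card, chip read": AuthRequest(CHIP, "500000500000", True, True, True),
    "chip read, bad cryptogram": AuthRequest(CHIP, "500000500000", True, False, True),
    "chip card, EMV terminal, stripe read": AuthRequest(CHIP_STRIPE, "500000200000", False, None, True),
    "chip card, non-EMV terminal": AuthRequest(CHIP_STRIPE, "200000200000", False, None, True),
    "service code changed 2 -> 1": AuthRequest(STRIPE, "500000200000", False, None, True),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:38} -> {classify(req)}")
```

The "chip-card-at-non-emv-terminal" label covers both the good and the cloned case, because the request data is the same in both tables; only the issuer's other checks can separate them.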
How Can Acquirers Prevent Counterfeit Card Fraud?

EMV is not going to prevent all counterfeit card fraud; therefore, Acquirers must continue the fraud prevention practices they already have in place:
• Hardware shields, jammers, sensors
• Consumer awareness programs
• Transaction monitoring, analysis, reporting

When an Acquirer implements EMV, the organization must extend its fraud prevention to include the following:
• Use proven software releases and EMV kernels
• Make sure every ATM uses a truly random number generator. A recent scam affected ATMs that did not generate truly random numbers, and thieves were able to predict the “random number” pattern.
• Comply with applicable payment association and network requirements related to fallback
• Test as many scenarios as possible before enabling EMV in production

How Can Issuers Prevent Counterfeit Card Fraud?

Make sure your authorization system can identify technical fallback and potential skimming scenarios. In some of the “problem” scenarios, it appears that a chip card was used at an EMV-enabled Terminal, but the chip could not be read. Your authorization system and/or fraud detection system must monitor the following:
• What is the frequency of this event for any given card?
• Where is the problem occurring (locally, domestically, internationally)?
• Are there combinations of data in the transaction that don’t make sense?
  • Type of card/service code
  • Terminal capability
  • Data entry mode
  • Type of transaction
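The first two monitoring questions (how often the chip could not be read for a given card, and where) can be answered with a sliding window over authorization events. This Python is an added example, not part of the original paper; the event fields, the 7-day window, the threshold of 3 and the home-location lookup are assumptions, and the card identifiers are constructed tokens rather than PANs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # assumption: look-back window
THRESHOLD = 3                # assumption: chip-not-read events per card before alerting

def scope(event, home):
    """Classify an event as local, domestic or international relative to the cardholder."""
    if event["country"] != home["country"]:
        return "international"
    return "local" if event["region"] == home["region"] else "domestic"

def fallback_alerts(events, homes):
    """Flag cards whose chip repeatedly could not be read at EMV-enabled terminals."""
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["chip_not_read"]:
            by_card[e["card"]].append(e)
    alerts = []
    for card, evs in by_card.items():
        start, worst = 0, []
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end]["time"] - evs[start]["time"] > WINDOW:
                start += 1
            if end - start + 1 > len(worst):
                worst = evs[start:end + 1]
        if len(worst) >= THRESHOLD:
            scopes = sorted({scope(e, homes[card]) for e in worst})
            alerts.append({"card": card, "count": len(worst), "scopes": scopes})
    return alerts

def ev(card, day, country, region, chip_not_read=True):
    return {"card": card, "time": datetime(2013, 5, day), "country": country,
            "region": region, "chip_not_read": chip_not_read}

# Constructed sample data: card tokens (not PANs), countries and regions are made up.
HOMES = {c: {"country": "US", "region": "NC"} for c in ("card-A", "card-B", "card-C")}
EVENTS = [
    ev("card-A", 1, "US", "NC"), ev("card-A", 2, "US", "TX"), ev("card-A", 3, "BR", "SP"),
    ev("card-B", 1, "US", "NC"), ev("card-B", 12, "US", "NC"), ev("card-B", 25, "US", "NC"),
    ev("card-C", 4, "US", "NC"), ev("card-C", 5, "US", "NC", chip_not_read=False),
]

if __name__ == "__main__":
    for alert in fallback_alerts(EVENTS, HOMES):
        print(alert)
```

Only card-A is flagged: card-B has the same number of events but spread over more than a week, and card-C has a single unread chip followed by a normal chip read.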
Comply with payment association and network requirements related to fallback. Within these guidelines, establish your own “best practices.”
• Be able to easily identify your cards as magnetic stripe or chip
• If possible, issue chip cards with a new extended BIN
• If using the same BIN or PAN for your magnetic stripe cards and chip cards, establish and use a “magnetic stripe vs. chip” indicator in your database.
• Establish reporting and troubleshooting procedures. Involve account management and customer service/help desk staff.
• Determine when and how to contact the acquirer or network
• Determine when and how to contact the cardholder to verify that transactions are legitimate

In addition, when fallback or other potential problem scenarios are detected, Issuers should:
• Validate additional information in the online transaction request, such as the Application Transaction Counter (ATC) and the card security code (iCVV) sent by the chip
• Ensure that the Authorization System automatically logs messages to alert staff
• Notify the appropriate teams so proactive measures can be taken, e.g. contacting cardholders to verify suspicious transaction activity

Although most EMV transactions go online to a host system for authorization, consider issuing chip cards that support offline PIN and offline authentication. This will benefit international travelers and will provide additional security in situations where the host system is not available.

Summary

While EMV (chip) cards offer increased security and significant reduction of counterfeit card fraud, even chip-and-PIN technology cannot completely eliminate all card fraud. As long as people and technology are imperfect, there will be fraud. Fraud detection and prevention demand constant vigilance.
About the Author

Deborah Spidle, Director of EMV Solutions for Paragon Application Systems, has over 20 years experience in the IT industry, focusing on banking and financial applications. Deborah is one of a select group of industry professionals who have earned the Certified Smart Card Industry Professional Certification (CSCIP) from the Smart Card Alliance demonstrating her expertise in Smart Card technology as well as the new CSCIP/Payments certification. Most recently, Deborah has been working as a business analyst responsible for helping a major national switch, a large bank, and multiple credit unions migrate to EMV. She has worn many hats including: development, business analysis, design engineering, program management, software implementation/installation management, project management, development management, technical writing, software installation, user testing, and client training. Deborah’s managerial responsibilities have included the management of personnel across multiple disciplines (engineering, development, testing) as well as management of large, multi-functional project teams. Past clients have included financial institutions in the US, Canada, Brazil, Australia, and England.

About Paragon Application Systems

Paragon Application Systems is a leading global provider of automated ePayment testing solutions. In business since 1994, more than 590 customers in 85 countries are benefiting from Paragon’s end-to-end ePayment testing solutions. Paragon has helped customers around the globe with their EMV implementations. We start with training to help customers understand what EMV is and all of the acronyms associated with it. Then we work to develop the right plan for EMV implementation including providing the right set of test tools to validate EMV migration. Visit Paragon Application Systems at www.paragonedge.com or email info@paragonedge.com